Sandvine PacketLogic

Sandvine is a Canadian network equipment vendor founded in 2001, acquired by Procera Networks in 2017 and subsequently by Francisco Partners. The company’s PacketLogic platform performs deep packet inspection (DPI) at the carrier level, enabling internet service providers to identify, classify, and modify traffic. Sandvine equipment has been documented in multiple internet censorship and surveillance deployments globally, leading to US export restrictions and significant operational changes since 2023.

What it means in practice

PacketLogic enables ISPs to inspect every packet passing through the network, identify the protocol and the user, and apply traffic shaping or modification rules. In censorship deployments, this includes blocking specific websites, throttling specific protocols, and, in documented cases, injecting malicious content into unencrypted web traffic. Citizen Lab has documented Sandvine equipment being used in deployments in Turkey in 2018 to redirect users attempting to download the Tor Browser, serving them malicious spyware payloads instead.
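Because the injection described above depends on the download travelling unencrypted, a defender can audit a recorded redirect chain for hops that an on-path device could have rewritten. The following is an added example, not code from the original page or from Citizen Lab; the hostnames, the chain data and the finding names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: each hop is (requested URL, HTTP status, Location header or None).
SAMPLE_CHAIN = [
    ("http://downloads.example.org/browser-setup.exe", 307,
     "http://mirror.example.net/browser-setup.exe"),
    ("http://mirror.example.net/browser-setup.exe", 200, None),
]
SAFE_CHAIN = [
    ("https://downloads.example.org/browser-setup.exe", 302,
     "https://cdn.example.org/browser-setup.exe"),
    ("https://cdn.example.org/browser-setup.exe", 200, None),
]


def audit_chain(chain):
    """Return (hop_index, finding) pairs for hops an on-path device could alter."""
    findings = []
    tainted = False  # True once any earlier hop travelled in cleartext
    for i, (url, status, location) in enumerate(chain):
        src = urlsplit(url)
        if src.scheme != "https":
            # Request and response are readable and modifiable in transit.
            findings.append((i, "cleartext-request"))
            tainted = True
        elif tainted:
            # TLS protects this hop, but the URL came from an unauthenticated one.
            findings.append((i, "https-reached-via-cleartext"))
        if 300 <= status < 400 and location:
            # Resolve relative Location values against the requesting URL.
            dst = urlsplit(urljoin(url, location))
            if src.scheme == "https" and dst.scheme != "https":
                findings.append((i, "downgrade-redirect"))
            if tainted and dst.hostname != src.hostname:
                # A redirect to another host that nothing authenticated.
                findings.append((i, "unauthenticated-cross-host-redirect"))
    return findings


def is_trustworthy(chain):
    """A chain is trustworthy only if every hop was authenticated by TLS."""
    return not audit_chain(chain)
```

A chain with any finding means the file's origin was never authenticated end to end, so the download should be fetched again over HTTPS or checked against a signature obtained through a separate channel.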

Specific things to know

Sandvine’s customer list, partially exposed through investigative reporting and public documents, has included Egypt, Belarus, Turkey, the UAE, Algeria, Eritrea, Russia, and other governments with documented internet censorship practices. The US Department of Commerce added Sandvine to the Entity List in February 2024, citing the company’s role in internet censorship and the targeting of human rights activists. Sandvine responded with a public commitment to withdraw from 56 listed countries by mid-2025 and restructure its commercial operations.

Change today

For any user routing traffic through a network operator that may have Sandvine equipment, the operational answer is to use a properly configured VPN or Tor for any sensitive activity. Encrypted DNS (DNS over HTTPS or DNS over TLS) reduces but does not eliminate the inspection surface. The structural lesson is that the carrier is part of the threat model in many geographies, and that trust in the network is not a defensible default.
